Forum Discussion

Re: How to add a timestamp on iRule


Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.


Either I don't understand you, or you don't understand me. iRules consist of characters, if even one character changes the whole MD5 sum changes. Fetching the iRule definition via API from each of the LTMs is a legitimate way of validating that they're all running the same version of an iRule.

catoverflow Here's an example in Python3 without BigIPReport:

 

import requests, hashlib, urllib3, os

# Silences the warning requests emits when verify_ssl=False (certificate checks disabled)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class F5rest:
    def __init__(self, username: str, password: str, device: str, verify_ssl=False):
        self.device = device
        self.username = username
        self.password = password
        self.verify_ssl = verify_ssl
        self._session = None

    @property
    def session(self):
        if not self._session:
            s = requests.Session()

            body = {
                'username': self.username,
                'password': self.password,
                'loginProviderName': 'tmos'
            }

            token_response = s.post(
                f'https://{self.device}/mgmt/shared/authn/login',
                verify=self.verify_ssl,
                auth=(self.username, self.password), json=body) \
                .json()

            token = token_response['token']['token']

            s.headers.update({'X-F5-Auth-Token': token})
            s.verify = self.verify_ssl
            self._session = s
        return self._session

    def get_irule(self, name: str):
        response = self.session.get(f'https://{self.device}/mgmt/tm/ltm/rule/{name}')
        return response.json()

username = os.environ.get('F5_USERNAME')
password = os.environ.get('F5_PASSWORD')

if not (username and password):
    raise ValueError('Missing credentials in environment variables F5_USERNAME or F5_PASSWORD')

device_list = ['bigip.xip.se', 'bigip2.xip.se', 'bigip3.xip.se']

reference_hash = None

for device in device_list:
    # Connect to each device in the list in turn
    f5 = F5rest(username, password, device)
    rule = f5.get_irule('encrypted_time')
    # apiAnonymous holds the iRule body as text
    rule_hash = hashlib.md5(rule['apiAnonymous'].encode('utf-8')).hexdigest()
    if reference_hash is None:
        reference_hash = rule_hash
    if reference_hash != rule_hash:
        # Post Slack webhook here or raise exception
        raise Exception('Hashes do not match')

 

Now, there are multiple ways to skin the cat. You could also inject headers programmatically using your pipeline that shows the version of the iRule, using the iRule itself. Then read the headers in ie. Splunk/elastic and validate that it has changed by monitoring the traffic logs.

If you just want to know the version by manually logging in to each device and checking the iRule with your own eyes then Kevin's suggestion to put a version number / deploy time as a comment at the top would work too.

Hard to give an exact answer unless we know how you intend to use this. 🙂

8 Replies

  • Kevin_Davies (MVP)

    Patrik_Jonsson wrote:

    Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.


    Either I don't understand you, or you don't understand me. iRules consist of characters, if even one character changes the whole MD5 sum changes. 🙂


    As to your first question... it's one or the other 🙂 You illustrated my point exactly... if you read my post carefully I said unmodified. This means no character has changed therefore the md5 will not change. Now what happens if they re-deployed the same iRule? You will not be able to tell if it has been propagated as the md5 value never changed.

    • Patrik_Jonsson (MVP)

      They have a pipeline which updates iRules so he'd know if the iRule was successfully updated or not on the device which syncs data to the other devices.

      He wants to make sure that the same iRule is deployed on all devices. If the md5 is the same, the iRules are the same. I'd say that's a pretty good way to know if the iRules match across devices or not.

      • Kevin_Davies (MVP)

        Yes but it does not solve one of the stated goals of the original question - "validate sync between many nodes of the same cluster". What you propose validates the rules are the same but not that the sync process is actually working. Why is this not the same thing?

        I push A to a device and I want to make sure all of my cluster ends up with A.
        Your solution works fine. There is clearly evidence sync is working.
        Now if I push B and I want to make sure all of my cluster ends up with B.
        Again works fine. There is clearly evidence sync is working as B is different from A.
        Now I push B again and I want to make sure all my cluster ends up with B.
        This is where it falls down. Even if the cluster has B already there is no evidence that sync is working because you do not provide a unique discriminator between what you're pushing and what is already deployed.
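
The A, B, B-again case from this exchange, as an added example that is not code from any poster in the thread: it runs offline on constructed iRule text and shows that a hash comparison alone looks identical whether or not the second push of B propagated, while a per-deploy comment at the top of the rule exposes the device that missed it. The `# deploy-id:` marker format, the device names and the ids are assumptions made for illustration, and SHA-256 is used here in place of the MD5 in the post.

```python
import hashlib
import re

# Hypothetical convention: the pipeline puts "# deploy-id: <id>" at the top of the rule.
MARKER = re.compile(r'^#[ \t]*deploy-id:[ \t]*(\S+)[ \t]*$', re.MULTILINE)

# Constructed iRule body standing in for "B" in the thread.
RULE_B = 'when HTTP_REQUEST {\n    HTTP::header insert X-Example "b"\n}\n'

def stamp(rule_body: str, deploy_id: str) -> str:
    """Return the rule with a fresh deploy-id comment, replacing any old one."""
    body = MARKER.sub('', rule_body).lstrip('\n')
    return f'# deploy-id: {deploy_id}\n{body}'

def digest(body: str) -> str:
    return hashlib.sha256(body.encode('utf-8')).hexdigest()

def all_match(bodies: dict) -> bool:
    """Hash-only check: True when every device holds byte-identical text."""
    return len({digest(b) for b in bodies.values()}) == 1

def check_propagation(bodies: dict, expected_id: str) -> dict:
    """Classify each device as 'ok', 'stale' (other id) or 'unmarked'."""
    result = {}
    for device, body in bodies.items():
        m = MARKER.search(body)
        if m is None:
            result[device] = 'unmarked'
        else:
            result[device] = 'ok' if m.group(1) == expected_id else 'stale'
    return result

def rerun_scenario():
    first = stamp(RULE_B, '1001')    # first push of B
    second = stamp(RULE_B, '1002')   # B pushed again, logic unchanged
    # Constructed state: bigip3 never received the second push.
    cluster = {'bigip1': second, 'bigip2': second, 'bigip3': first}
    unstamped = {device: RULE_B for device in cluster}
    # Without a marker the hashes agree whether or not sync ran.
    return all_match(unstamped), all_match(cluster), check_propagation(cluster, '1002')

if __name__ == '__main__':
    print(rerun_scenario())
```

In a real check, the per-device bodies would come from the `apiAnonymous` field that the script in the original post already fetches.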